Kernel_Killer
July 29th, 2004, 17:57
Now we will cover VPN setup using the ISAKMP Daemon. For this project, I recommend using OpenBSD as your base VPN concentrator, and using FreeBSD or OpenBSD for clients. The reason I say OpenBSD for the concentrator, is that the FreeBSD port of ISAKMPD isn’t as fully implemented as the OpenBSD native version. The most you can use the FreeBSD port for is client connects and a single host-to-host tunnel. OpenBSD allows a multi-homed setup, allowing multiple clients to connect and work together in unison.
If you are planning on using FreeBSD, there are a few things that need to be done. First you need to go to /usr/ports/security/keynote and install it. Then a few options have to be compiled into the kernel. You need to add these to the kernel configuration.
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
options IPSEC_DEBUG #debug for IP security
Once you have placed that in your kernel, compile the new kernel, and reboot to apply the new settings.
Now we move to the configurations. First we want to make the directory /etc/isakmpd (OpenBSD) or /usr/local/etc/isakmpd (FreeBSD). In the new directory, you want to add these directories: ca/, certs/, crls/, keynote/, and private/. On the concentrator we will make a new file in /etc/isakmpd called isakmpd.conf. It will set up all the client connections, and how the concentrator will take care of incoming connections. First off, we do our Phase 1 section.
[Phase 1]
Default= ISAKMP-peer-default
This sets the default to the peer “default”. Next we go on to Phase 2 connections.
[Phase 2]
Passive-connections= IPsec-vpn-client1, IPsec-vpn-client2
This shows two passive connections that will be handled. When they are passive, ISAKMPD will not initiate a connection to them based on their IP; it waits for them to connect. This is perfect for clients with dynamic IP addresses.
Now we move to the peer sections.
[ISAKMP-peer-default]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
[client1@vpn]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
Authentication= passphrase
[client2@vpn]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
Authentication= passphrase2
Here we have the peer sections. ISAKMP-peer-default is this system, and the clients are the ones we plan to have connected to the concentrator. We show that this is part of our Phase 1 connection, and that we will be using UDP with the default port of 500. During the setup of the connection, this client will use the Default-aggressive-mode, and use the pass phrase “passphrase”.
Now we move to the Phase 2 section.
[IPsec-vpn-client1]
Phase= 2
ISAKMP-peer= client1@vpn
Configuration= Default-quick-mode
Local-ID= Net-vpn
Remote-ID= Net-client1
[IPsec-vpn-client2]
Phase= 2
ISAKMP-peer= client2@vpn
Configuration= Default-quick-mode
Local-ID= Net-vpn
Remote-ID= Net-client2
Here we have the two clients that will connect, but with a bit more configuration. If you notice, the IPsec-vpn-client1 section name is the same as the passive connection IPsec-vpn-client1. When the connection is being checked, ISAKMPD sees the passive connection and comes here for more configuration parameters. Also notice the ISAKMP-peer. If you go back up to our Phase 1 section, you will see we have a client1@vpn section, where this also looks for more settings. Next are the Local and Remote IDs. These will be our next section.
[Net-vpn]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0
[Net-client1]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.2.0
Netmask= 255.255.255.0
[Net-client2]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.3.0
Netmask= 255.255.255.0
As you can see, these sections are also referenced from other sections. This tells ISAKMPD what network the tunnel will be connected to from that client. After that we want to add our General configuration section.
[General]
Listen-on= 66.66.99.231
Retransmits= 3
Exchange-max-time= 120
Check-interval= 300
Policy-file= /etc/isakmpd/isakmpd.policy
Here we have the IP address that ISAKMPD will listen on, how many retransmits will be made during the connection process, how long (in seconds) it will wait for a key exchange during the connection process, and the check interval, which makes ISAKMPD check all the connections every 300 seconds to make sure they are still live. The policy file path is what you should set it to for OpenBSD. I’ll talk more about FreeBSD later. The last part we will deal with in our configuration is the transforms.
[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
Here is where the connection methods come into play. If you notice, Phase 1 connections are using the Default Aggressive Mode. Even though aggressive mode is less secure than the alternative, Main Mode, it is quick, and allows slower concentrators to authenticate connections quicker. Here the section has ISAKMPD use 3DES and SHA for this phase. In Phase 2 we use the Default Quick Mode, which pushes it into the 3DES SHA Suite. The QM-ESP-3DES-SHA-SUITE means that we are using the ESP protocol with 3DES as the cipher for encryption, and SHA as the hash. Now this is the most basic setup for encryption. You can go as far as explicitly setting every algorithm to a certain purpose and using suites that encrypt the tunnel multiple times. You can find more in the OpenBSD isakmpd.conf(5) man page.
The Client Side
Now we will make an isakmpd.conf file for the clients. In OpenBSD we will create this file in /etc/isakmpd/, and in /usr/local/etc/isakmpd/ for FreeBSD. These are the default directories where ISAKMPD looks for these files, so it will make it easy on yourself to add them accordingly. Once again, we will start with the Phase 1 connections.
[Phase 1]
66.66.99.231= ISAKMP-peer-vpn
This of course matches the connection name of our concentrator “vpn”. This is the connection the client will make. Now we go to Phase 2 connections.
[Phase 2]
Connections= IPsec-client1-vpn,IPsec-client1-client2
This says that this client, client1, will try to connect to both “vpn” and “client2”. Now to the Phase 1 peers section.
[ISAKMP-peer-vpn]
Phase= 1
ID= client1@vpn
Transport= udp
Address= 66.66.99.231
Configuration= Default-aggressive-mode
Authentication= passphrase
Here it takes the Phase 1 connection, connects to the IP 66.66.99.231, uses Aggressive Mode to connect (which is what is set on the concentrator end) and authenticates with the pass phrase “passphrase” to identify itself. We also need to add a section for the "client1@vpn" ID.
[client1@vpn]
ID-type= USER_FQDN
Name= client1@vpn
Next we go to the Phase 2 section.
[IPsec-client1-vpn]
Phase= 2
ISAKMP-peer= ISAKMP-peer-vpn
Configuration= Default-quick-mode
Local-ID= Net-client1
Remote-ID= Net-vpn
[IPsec-client1-client2]
Phase= 2
ISAKMP-peer= ISAKMP-peer-vpn
Configuration= Default-quick-mode
Local-ID= Net-client1
Remote-ID= Net-client2
Here the client tells the concentrator what clients it plans to connect to, what network it is (Local) and what network it will connect to (Remote). As you can see the peer is set to the concentrator, so that it gets its connections from there. Just like the concentrator’s configuration file, we’ll add a Client ID section.
[Net-client1]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.2.0
Netmask= 255.255.255.0
[Net-vpn]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0
[Net-client2]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.3.0
Netmask= 255.255.255.0
Once again we are specifying the networks. If these do not match on both ends for each client, a tunnel could be made incorrectly. And now we do the General and Transforms.
[General]
Retransmits= 3
Exchange-max-time= 120
Check-interval= 300
Policy-file= /usr/local/etc/isakmpd/isakmpd.policy
[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
In the General section, you see it’s the same as the concentrator except that the policy path is different and there isn’t a Listen-on line. Notice the path of the isakmpd.policy file. You can see we set it to the default path that would be used under FreeBSD. If it is OpenBSD, then you would set it as /etc/isakmpd/isakmpd.policy.
Firewall Setup
Now that we have this much, we will go through a test run, but before we do we need to set the firewall to allow these transmissions. Under OpenBSD’s pf, we will add these lines.
pass in quick on $external inet proto udp from any to any port = 500
pass in quick on $external inet proto esp from any to any
pass out on $external inet proto udp from any to any port = 500
pass out on $external inet proto esp from any to any
“$external” is your external interface that the connections will come through, usually the interface acting as the WAN connection. Now under FreeBSD’s IPFW, we will add these rules.
ipfw add allow udp from any to any 500
ipfw add allow udp from any 500 to any
ipfw add allow esp from any to any
Now that we have that set, we need to add routes to and from the internal networks. Keep in mind that the connection will go over an internal address. For instance, on the concentrator, we will add these routes assuming the internal NIC IP is 10.0.1.1.
route add 10.0.2.0/24 10.0.1.1
route add 10.0.3.0/24 10.0.1.1
On the clients we will set similar routes.
Client1
route add 10.0.1.0/24 10.0.2.1
route add 10.0.3.0/24 10.0.2.1
Client2
route add 10.0.1.0/24 10.0.3.1
route add 10.0.2.0/24 10.0.3.1
Test Run
Now to put the configuration files to a test. First start ‘isakmpd’ on the OpenBSD concentrator. Wait for it to completely load all the settings and transforms. You can watch it with ‘top’ and wait for it to hit a 0.0 load.
Once it has, run ‘isakmpd’ on the client. On both systems, they should start without any problems with the ‘isakmpd’ command without any flags. On the OpenBSD system, run ‘ipsecadm show’ to see all the Security Associations made between the clients and concentrator. You can do this on the clients as well to make sure that the tunnel was established. On FreeBSD you want to run ‘setkey -DP’ instead to check the SAs.
The isakmpd.policy File
If you want to lock your VPN down a bit, this is the file you want to use. I’m only going to cover a small amount of the file to get you used to the basics of it. You can learn more from the keynote and isakmpd.policy man pages.
Like the isakmpd.conf, you need to add this file to the isakmpd/ directory. Make sure that your isakmpd.conf does point to the correct location.
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:passphrase" || "passphrase:passphrase2"
Conditions: app_domain == "IPsec policy" -> "true";
This is as basic as it gets for a secure policy. You can see the pass phrases for both client1 and client2 under the Licensees section. Then under the conditions, the app domain must be "IPsec policy". You can add other conditions like the type of algorithm and fully-qualified domain names. The pass phrase can also be changed to an MD5 hex pass phrase using the md5 program. The licensees can also use certificates for authentication. Use this next one on the clients.
Comment: the most basic policy.
Authorizer: "POLICY"
This one offers an open policy, and can be used on the concentrator for testing purposes.
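The hashed pass phrase form mentioned above, as an added example (my own Python, not from the post): it renders a concentrator isakmpd.policy whose Licensees use the passphrase_md5_hex form that isakmpd.policy(5) documents instead of the clear-text passphrase form, so the secret itself is not sitting in the policy file, and it flags any clear-text licensee left in an existing policy. The two pass phrases are the ones from the post; the file layout is the one shown above, written with straight ASCII quotes, which is what keynote expects.

```python
import hashlib
import re

# KeyNote licensee forms isakmpd's policy engine understands (isakmpd.policy(5)):
#   "passphrase:<clear text>"       -- what the post's policy uses
#   "passphrase_md5_hex:<32 hex>"   -- MD5 of the pass phrase, what "md5" prints
# Storing the hashed form keeps the clear-text secret out of the policy file.


def md5_hex_licensee(passphrase: str) -> str:
    """Return the hashed licensee string for one pre-shared pass phrase."""
    digest = hashlib.md5(passphrase.encode("utf-8")).hexdigest()
    return f'"passphrase_md5_hex:{digest}"'


def build_policy(passphrases) -> str:
    """Render a concentrator isakmpd.policy admitting each listed pass phrase.

    Same shape as the post's policy, with hashed licensees and plain ASCII
    quotes (typographic quotes would not parse).
    """
    licensees = " || ".join(md5_hex_licensee(p) for p in passphrases)
    return (
        "KeyNote-Version: 2\n"
        'Authorizer: "POLICY"\n'
        f"Licensees: {licensees}\n"
        'Conditions: app_domain == "IPsec policy" -> "true";\n'
    )


_PLAINTEXT = re.compile(r'"passphrase:[^"]*"')


def plaintext_licensees(policy_text: str) -> list:
    """List every clear-text pass phrase licensee still present in a policy."""
    return _PLAINTEXT.findall(policy_text)


if __name__ == "__main__":
    # Constructed sample: the two client secrets used throughout the post.
    print(build_policy(["passphrase", "passphrase2"]))
```

Run it and paste the output over the Licensees line on the concentrator; the clients keep their clear-text Authentication= line in isakmpd.conf, since that is what they send, and only the concentrator's policy holds the hash.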
Troubleshooting
In this section I’ll cover some common problems and solutions, as well as some things to check first.
First things first: when you are having a problem with anything, check your isakmpd.conf files. If areas don’t match up correctly, problems can occur. These files are case-sensitive, and hate spaces. If you have a space after a pass phrase in the authentication section, it becomes part of the pass phrase. Go through all the isakmpd.conf files with vi, and use Shift-4 ($) to go to the end of the line and delete any spaces at the end of each line.
Next, make sure all your transforms match. If one end is trying to use a different transform than the other, the tunnel will not come up. Also, check your routes. Make sure you have a route to the vpn network and to the client networks. If you think there is a problem with the policy file, use the one above for the clients as the policy file for the concentrator.
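Those checks can be done by a script instead of by eye. This is an added example (my own Python, not part of the post or of isakmpd): a small linter that parses the concentrator and client isakmpd.conf files built in the sections above and reports exactly the faults this section warns about, namely trailing blanks that become part of a value, tags that refer to a section that does not exist, misspelt ID-type values, and Net-* or transform sections that differ between the two ends. The ID-type values and the list of section-referencing tags are the ones used in the post's own configs; the sample configs are constructed from the post, trimmed, with faults planted on the client side.

```python
import re

# Added example (not from the post): a linter for the isakmpd.conf files built
# above. It reports trailing blanks that become part of a value, references to
# sections that do not exist, misspelt ID-type values, and Net-*/transform
# sections that differ between concentrator and client.

SECTION_RE = re.compile(r"^\[(.+)\]$")
# Tags whose value names other sections (comma-separated where it is a list).
REF_TAGS = {"Default", "Passive-connections", "Connections", "Configuration",
            "ISAKMP-peer", "Local-ID", "Remote-ID", "ID"}
VALID_ID_TYPES = {"IPV4_ADDR", "IPV4_ADDR_SUBNET", "FQDN", "USER_FQDN"}
# Sections whose listed tags must agree on both ends of the tunnel.
MUST_MATCH = {"Default-aggressive-mode": ("Transforms",),
              "Default-quick-mode": ("Suites",)}


def parse_conf(text):
    """Parse ini-style isakmpd.conf text into {section: {tag: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SECTION_RE.match(stripped)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        tag, sep, value = raw.partition("=")
        if current is not None and sep:
            # keep trailing whitespace so lint_conf can report it
            sections[current][tag.strip()] = value.lstrip()
    return sections


def lint_conf(text):
    """Return a list of findings for a single isakmpd.conf."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip():
            findings.append(f"line {n}: trailing whitespace becomes part of the value")
    conf = parse_conf(text)
    for sec, tags in conf.items():
        for tag, value in tags.items():
            value = value.strip()
            # In [Phase 1] every tag (a peer address or "Default") names a peer section.
            if tag in REF_TAGS or sec == "Phase 1":
                for ref in filter(None, (v.strip() for v in value.split(","))):
                    if ref not in conf:
                        findings.append(f"[{sec}] {tag} refers to missing section [{ref}]")
            if tag.lower() == "id-type":
                if tag != "ID-type":
                    findings.append(f"[{sec}] tag '{tag}' is not spelt 'ID-type'")
                if value not in VALID_ID_TYPES:
                    findings.append(f"[{sec}] unknown ID-type '{value}'")
    return findings


def cross_check(concentrator_text, client_text):
    """Report Net-* and transform sections that differ between the two ends."""
    findings = []
    a, b = parse_conf(concentrator_text), parse_conf(client_text)
    for sec in sorted(set(a) & set(b)):
        tags = ("Network", "Netmask") if sec.startswith("Net-") else MUST_MATCH.get(sec, ())
        for tag in tags:
            va, vb = a[sec].get(tag, "").strip(), b[sec].get(tag, "").strip()
            if va != vb:
                findings.append(f"[{sec}] {tag}: concentrator '{va}' vs client '{vb}'")
    return findings


# Constructed samples, trimmed to the tags the checks look at. The client copy
# carries four planted faults: a blank after the pass phrase, "ID-Type", the
# "IDV4" typo, and a Phase 1 transform that differs from the concentrator's.
CONCENTRATOR = (
    "[Phase 2]\nPassive-connections= IPsec-vpn-client1\n"
    "[client1@vpn]\nConfiguration= Default-aggressive-mode\nAuthentication= passphrase\n"
    "[IPsec-vpn-client1]\nISAKMP-peer= client1@vpn\nConfiguration= Default-quick-mode\n"
    "Local-ID= Net-vpn\nRemote-ID= Net-client1\n"
    "[Net-vpn]\nID-type= IPV4_ADDR_SUBNET\nNetwork= 10.0.1.0\nNetmask= 255.255.255.0\n"
    "[Net-client1]\nID-type= IPV4_ADDR_SUBNET\nNetwork= 10.0.2.0\nNetmask= 255.255.255.0\n"
    "[Default-aggressive-mode]\nTransforms= 3DES-SHA\n"
    "[Default-quick-mode]\nSuites= QM-ESP-3DES-SHA-SUITE\n"
)
CLIENT = (
    "[Phase 1]\n66.66.99.231= ISAKMP-peer-vpn\n"
    "[ISAKMP-peer-vpn]\nID= client1@vpn\nAddress= 66.66.99.231\n"
    "Configuration= Default-aggressive-mode\nAuthentication= passphrase \n"
    "[client1@vpn]\nID-type= USER_FQDN\nName= client1@vpn\n"
    "[IPsec-client1-vpn]\nISAKMP-peer= ISAKMP-peer-vpn\nConfiguration= Default-quick-mode\n"
    "Local-ID= Net-client1\nRemote-ID= Net-vpn\n"
    "[Net-client1]\nID-Type= IPV4_ADDR_SUBNET\nNetwork= 10.0.2.0\nNetmask= 255.255.255.0\n"
    "[Net-vpn]\nID-type= IDV4_ADDR_SUBNET\nNetwork= 10.0.1.0\nNetmask= 255.255.255.0\n"
    "[Default-aggressive-mode]\nTransforms= 3DES-MD5\n"
    "[Default-quick-mode]\nSuites= QM-ESP-3DES-SHA-SUITE\n"
)

if __name__ == "__main__":
    print(lint_conf(CONCENTRATOR), lint_conf(CLIENT), cross_check(CONCENTRATOR, CLIENT))
```

To use it on real files, read each isakmpd.conf into a string and pass it to lint_conf, then pass the concentrator's and one client's text to cross_check; an empty list from all three is the state you want before starting isakmpd.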
Debugging
If you are still having trouble with your VPN setup, or wish to see what goes on, you can use the ISAKMPD debugging output. Use the command ‘isakmpd -d’ for slightly verbose output, or ‘isakmpd -d -DA=99’ for fully verbose output. The full output shows it initializing, reading the conf, and what it’s doing during client connections. This can be very helpful when trying to find a specific problem with your setup.